This morning's Daily Data Debacle article from NY Times
While the banks and payment processors have been targets in the largest and highest-profile attacks, security specialists say the payment system's most vulnerable points may be the estimated five million merchants where cards are accepted.
July 26, 2005
Main Street in the Cross Hairs
By ERIC DASH
Along a crowded stretch of highway just south of Miami's downtown is a shopping area that might be called the data theft capital of the United States. In the wireless hacker equivalent of a drive-by shooting wave, criminals obtained the cardholder information of tens of thousands of customers at four major stores there, including a DSW Shoes retail outlet that appears to have been the initial source of a chainwide data breach.
Recent investigations reveal that the thieves singled out stores with strong wireless signals and weakly protected data. While their exact methods are not known, they could have parked a car outside a store or set up in the local Starbucks, using a laptop computer outfitted with an off-the-shelf wireless receiver. They may have even received help from Web sites listing the geographic coordinates of easy-to-target stores.
From there, it would be easy to pick up signals being broadcast around the store and use them to gain access to its computer systems. For more than a month, the hackers "robbed" the same shops again and again of premium card account numbers stored in their databases.
Then, after security upgrades were announced or investigators showed up on site, the data thieves moved on - to another shop they had already staked out on the same side of the street.
"It was as if they would hit one, drive down the road, and find another," said Bryan Sartin, a lead investigator for Cybertrust, the security services firm that was called in after each of the incidents.
Mr. Sartin is bound by confidentiality agreements not to reveal details about the incidents he investigates. But his account illustrates a larger point: While the banks and payment processors have been targets in the largest and highest-profile attacks, security specialists say the payment system's most vulnerable points may be the estimated five million merchants where cards are accepted.
Unlike banks and other financial institutions, merchants often lack technological expertise and management attention to keep their customers' information secure. The widespread use of wireless technology by businesses, as in homes, has left merchants' computer systems increasingly susceptible.
Meanwhile, the credit card associations, like MasterCard and Visa, have been lax about enforcing their own security rules. And the requirements for retailers to protect consumer data frequently fall through the cracks of government and industry regulations.
"The breaches at processors and Internet gateways are very few and far between," Mr. Sartin said. "About 95 percent of what you are seeing right now are data breaches involving e-commerce merchants and retailers."
And it is no longer just unsophisticated mom-and-pop shops or fly-by-night dot-com companies under attack. Well-known merchants with millions of records are victims, too.
"What people don't recognize is that some of those companies are DSW, BJ's Wholesale or Chipotle," said Robert McCullen, the chief executive of AmbironTrustwave, a Chicago firm that is the payment industry's largest data security auditor. "These are big names."
To be sure, even the largest merchants do not have the treasure troves of cardholder data that a large bank or a payment processor might keep. Merchants also have strong incentives to protect cardholder information, because they often bear the cost of fraud through hefty charge-back fees. But at a time when data crimes are easier and more profitable than ever, they can be easy targets for thieves.
"The problems we are seeing with merchants are problems that many companies have in securing sensitive information," said Jessica Rich, the Federal Trade Commission's director of financial practices. "We are seeing a lot of sloppy practices."
As loyalty programs have grown, retailers are collecting more cardholder information today than ever before. But until recently, most gave little thought to its protection.
The majority of the swipe terminals found at checkout counters now connect over the Internet, instead of by phone, to the Visa and MasterCard networks. Insecure wireless systems that track inventory provide another entry point for grabbing cardholder data, too. As a result, many merchants - especially those that do not have a Web site where consumers can make purchases - are unaware that their computer systems are accessible online.
"I feel bad for some of the merchants we get involved with on a forensics basis because they really don't know what happened," Mr. McCullen said. The terminals, he added, are installed by software and service providers, which get paid each time their products are leased or used. They have no incentive to advise the merchants of the risks.
That may have just happened to a small, family-run Indian restaurant in Santa Clara, Calif., which has only one terminal to punch in customer orders and card numbers. Last week, the owner contacted Tom Arnold, a payments security consultant in the San Francisco Bay area, to report that his store was attacked by data thieves.
"He just bought a piece of restaurant software, installed it on his computer, hooked it up to a D.S.L. line and said I'm good to go," Mr. Arnold said, referring to the high-speed telephone connection.
Security compliance is another challenge. While banks are held responsible for the actions of third-party payment processors they hire to handle their accounts, no federal rules require merchants to safeguard their data. Visa's and MasterCard's contractually binding security standards are the closest proxy.
Yet, merchant advocates complain, those so-called payment card industry standards are often so complicated that the average shopkeeper cannot understand them. Security specialists say that some of the banks, which are responsible for ensuring their merchants are adhering to those data protection policies, can be inattentive to security deadlines or unaware of those rules.
Visa and MasterCard encourage - but do not require - the vast majority of small and midsize merchants to prove their compliance. Only about 400 of the country's biggest retailers and just over 10,000 midsize merchants with a substantial online presence have that obligation. That group must pass an annual security audit, often self-assessed, and conduct quarterly scans of their computer networks for vulnerable points.
Put another way, that means Visa and MasterCard require fewer than three-tenths of 1 percent of the country's estimated five million merchants to certify they are following their security rules. And many of those online merchants missed a recent June 30 deadline.
Steve Ruwe, Visa's executive vice president for operations and risk, said that many merchants "are working toward compliance" but it was "an ongoing event to get them where we want them to be." He argued that the primary responsibility for compliance rests on its member banks, not Visa. "It's Visa's responsibility to act at a holistic level, to provide leadership," he said. "Of course, we have a responsibility but we don't manage them directly."
Chris Thom, MasterCard's chief risk officer, said that all its merchants must follow the rules but that education and encouragement rather than security audits may be the most effective tools with smaller merchants. MasterCard recently tripled its staff to help improve awareness and published its merchant security requirements for the first time last August.
"We are trying to be much more transparent so at least there is a good opportunity for the merchant to understand what is required of him," he said. MasterCard executives have previously suggested that 90 percent of all data compromises could have been prevented if merchants were following their security rules.
Many small merchants, however, still do not conform to the industry's most basic security requirements, like encrypting their customers' data and avoiding the use of commonly known passwords. Most do not conduct quarterly network vulnerability tests that can cost as little as a few hundred dollars.
Still, there are some signs of change. The high-profile data breaches at stores like DSW Shoes, along with a recent unfair practices complaint by the Federal Trade Commission against BJ's Wholesale Club of Natick, Mass., have been wake-up calls to the entire industry. So has the situation at CardSystems Solutions, the small payment processor whose data compromise last month exposed 40 million cardholder accounts. Security auditors and consultants report that more merchants are inquiring about their services and are rushing to sign up.
Meanwhile, a few of the larger card processors and merchant banks have sent letters to businesses insisting on security compliance; some make clear the real possibility of fines. Others have started pressuring the software and service providers to educate their customers and certify that their software and terminals are secure.
Visa and MasterCard are making the case to the merchants themselves. Last Wednesday, Visa said it was forming a partnership with the United States Chamber of Commerce to sponsor seminars for small and midsize businesses about ways to prevent data theft; MasterCard sent a letter to all domestic merchants last November alerting them to the rules. In the past, MasterCard, Visa and others geared their pitches mainly to their member banks and larger merchants.
Of course, Mr. Sartin still expects to be busy. The crimes he saw at the four Miami-area stores could have taken place just about anywhere.
DSW Shoes confirmed that its Dadeland store had been attacked and said that Cybertrust and the United States Secret Service had been investigating. That location, people close to the investigation said, was probably the initial site of the nationwide data compromise that put the accounts of 1.4 million cardholders at risk for fraud.
But the real problem may be the information the thieves have already obtained. Once criminals crack the code for entry to one business location, Mr. Sartin said, they probably have the data security blueprints of others. For some national chains, the passwords and computer system protections can be as similar as the uniforms worn by employees.
"Tell me, do you have a location in Miami?" Mr. Sartin now asks when a national retailer calls. "Is it on the South Dixie Highway?" he adds, before a short pause. "Don't tell me, is it on the odd-numbered side of the street?"
AI
